This vulnerability has been received by the NVD and has not been analyzed.
The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if it relies on any of these features in its authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the required validation if an upgrade to patched packages is not possible.
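The two issuer checks described above, as an added language-neutral model in Python; it is not code from Sustainsys.Saml2 or its patch. The types `StoredRequestState` and `SamlResponse`, their fields, and `check_acs_result` are hypothetical names, and signature verification is assumed to have already happened against the key of the IdP named in `validated_with_idp`.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class StoredRequestState:          # hypothetical model of the stored request state
    idp: str                       # entity ID the AuthnRequest was sent to
    properties: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class SamlResponse:                # hypothetical model of a parsed response
    issuer: str                    # Issuer value stated in the response
    in_response_to: Optional[str]  # request ID, None for an unsolicited response
    validated_with_idp: str        # IdP whose configured key verified the signature


class ResponseRejected(Exception):
    """The response fails an issuer or state check and must not be used."""


def check_acs_result(response: SamlResponse,
                     pending: Dict[str, StoredRequestState]) -> Dict[str, str]:
    """Return the stored properties that may be used, or raise ResponseRejected."""
    # Check 1: the stated issuer must be the IdP whose key validated the
    # response, so one IdP cannot be processed as if it were another.
    if response.validated_with_idp != response.issuer:
        raise ResponseRejected("issuer differs from the IdP that signed the response")
    if response.in_response_to is None:
        return {}  # unsolicited response: no stored state applies
    state = pending.get(response.in_response_to)
    if state is None:
        raise ResponseRejected("no stored state for this request ID")
    # Check 2: state stored for one IdP must not be used when processing
    # a response from a different IdP.
    if state.idp != response.issuer:
        raise ResponseRejected("stored state belongs to a different IdP")
    return state.properties
```

In an application that cannot upgrade, the equivalent comparisons would be made inside the `AcsCommandResultCreated` notification before the resulting identity or the `AuthenticationProperties` items are trusted.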
CVSS 3.x Severity and Metrics:
Base Score: N/A
NVD score not yet provided.
CNA: GitHub, Inc.